From 3e0b8c60a2ad5befd3f83af63baf87a3dda717a9 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Tue, 12 Apr 2016 10:12:29 +0300
Subject: [PATCH] Reverse the order of ICMP and Broadcast checking in the default actions

Signed-off-by: Tuomo Soini
---
 Shorewall/action.A_Drop | 11 +++++++----
 Shorewall/action.A_Reject | 11 +++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/Shorewall/action.A_Drop b/Shorewall/action.A_Drop
index 5ba82d8ce..0b65a38a3 100644
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -23,14 +23,17 @@
 COUNT
 # Auth(A_DROP)
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs - - icmp
+#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs - - icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
diff --git a/Shorewall/action.A_Reject b/Shorewall/action.A_Reject
index a5f4611aa..785374576 100644
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -18,15 +18,18 @@
 #
 COUNT
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+A_AllowICMPs - - icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs - - icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
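Review bot: The rationale added above `A_AllowICMPs - - icmp` in action.A_Drop is phrased as "ipv6-icmp broadcasting is required", but IPv6 has no broadcast; what the earlier `dropBcast(audit)` would have silently discarded is ICMPv6 sent to multicast destinations (Neighbor Discovery, MLD), and that is the traffic the reorder is meant to let through. Suggest `# IPv6 has no broadcast: Neighbor Discovery and MLD are ICMPv6 to multicast` / `# destinations, which dropBcast discards, so AllowICMPs must run first.` so the next reader is not sent looking for an IPv6 broadcast address. The reorder is also not IPv6-only: these action files are shared with IPv4, so the ICMP types AllowICMPs accepts now reach broadcast destinations instead of being dropped silently, a small widening of the accepted set that deserves a sentence in the comment or the commit message (action.AllowICMPs is not in this patch, so the exact type set is inferred).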
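Review bot: The comment block added to action.A_Reject is a near-copy of the one in action.A_Drop but differs in wording ("before silent broadcast Drop" versus "before broadcast Drop"), and both repeat the inaccurate "ipv6-icmp broadcasting" phrasing, since IPv6 carries Neighbor Discovery and MLD over ICMPv6 to multicast, not broadcast. Keeping the two copies identical makes the shared rationale easier to maintain; suggest the same text in both: `# IPv6 has no broadcast: Neighbor Discovery and MLD are ICMPv6 to multicast` / `# destinations, which dropBcast discards, so AllowICMPs must run first.` The existing caveat that broadcasts must not be rejected still holds after the move, because A_AllowICMPs only ACCEPTs, but a short sentence stating that is why the accept rule may safely precede the drop would document the ordering constraint explicitly.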